HP study finds smartwatches could do more to keep user data safe

More transparency is needed around how data collected by smartwatch apps is used, said HP.

Smartwatches are failing people at keeping their data safe and protecting them from hackers.

Those are the findings of a study from Hewlett-Packard, whose Fortify on Demand security division tested 10 popular smartwatches. The company is in the process of alerting vendors about the flaws and can't disclose the watches it tested, said Daniel Miessler, practice principal at HP.

HP also examined the security around the Web interfaces and mobile apps that accompany smartwatches and allow a person to access the device as well as how data gathered by watch apps is protected and used.

The study found vulnerabilities with each of the watches and raised concerns over user authentication methods, data encryption and data privacy, among other issues.

Only half of the watches HP tested let users lock the device's screen, potentially allowing a stranger to access their sensitive information if the wearable was lost or stolen. Smartwatch sensors collect health data, including heart beats, and the devices store personal details like a person's name, address and birth date. Two of the watches that lack the ability to lock a screen could be paired with a smartphone other than the owner's, giving an attacker access to the wearable's data.

The smartwatches fell short when it came to encrypting data that's sent to the cloud. While the wearables used SSL and TLS security protocols to encrypt information, some relied on SSL 2.0, an older version of the protocol that's known to have security flaws. Additionally, 40 percent of the watches were vulnerable to POODLE attacks.

In some cases, vendors prioritize getting smartwatches on the market over security so measures like data encryption are overlooked. Others don't realize the dangers of transmitting data in clear text form, Miessler said.

HP questioned if there's enough transparency around how data collected by watch apps is used, saying people and app developers may not realize that information ends up on a "substantial" number of servers. This provides attackers more access points to the data, either by intercepting it in transit or going after the servers where it's stored, Miessler said. Some of the places where smartwatch data ended up included advertising and analytics networks, he added.

HP took issue with how seven of the 10 the watches processed firmware updates. Those devices were sent unencrypted updates, and while they were signed to prevent malicious files from being uploaded, this didn't prevent them from being downloaded and viewed by others.

Consumers may not realize they need to be aware of security issues around mobile apps and Web interfaces used to access smartwatches, Miessler said.